Episode 22 – Securing BGP

In part 3 of our deep dive into BGP operations, Nick Russo and Russ White join us again on Network Collective to talk about securing BGP. In this episode we cover topics like authentication, advertisement filtering, best practices, origin security, path security, and remotely triggered black holes.

We would like to thank Cumulus Networks for sponsoring this episode of Network Collective. Cumulus is offering you, our listeners, a completely free O’Reilly ebook on the topic of BGP in the data center. You can get your copy of this excellent technical resource here: http://cumulusnetworks.com/networkcollectivebgp

Show Notes:

Authentication

Classic MD5

Enhanced Authentication extensions (EA). Supported on IOS XR; allows SHA-1 as well as MD5, along with key-chain rotation. Does not appear to be commonly used

GTSM (the Generalized TTL Security Mechanism), and how it can be better than the previous options in some cases

Basic prefix filtering:

From your customers: allow any number of their own AS prepended

From the Internet: block bogons (RFC 1918 space, class D/E, etc.)

To your peers: only your local space (i.e., your own and your customers' address blocks)

From your peers: only routes originating from their AS (any number of prepends)
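The four filtering rules above, written out as a small policy evaluator. This is an added example, not configuration from the episode or from Cumulus; the bogon list, the local-space blocks and the session types ("customer", "peer", "internet") are assumptions for the example, and the AS-path rule implements the literal "only their own AS, any number of prepends" case (a customer with downstream customers of its own would need a wider check).

```python
import ipaddress

# Constructed data for this example (not from the episode). The bogon list covers
# only the families the show notes name: RFC 1918 space plus class D and class E.
BOGONS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "224.0.0.0/4",                                      # class D (multicast)
    "240.0.0.0/4",                                      # class E (reserved)
)]

# Assumed local space: the blocks this AS and its customers originate.
LOCAL_SPACE = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.18.0.0/15")]


def covered_by(prefix, nets):
    """True when prefix lies inside any network in nets (same address family only)."""
    net = ipaddress.ip_network(prefix)
    return any(net.version == n.version and net.subnet_of(n) for n in nets)


def originated_only_by(as_path, asn):
    """True when AS_PATH is exactly the neighbour's ASN, prepended any number of times.
    [64500, 64500, 64500] passes; [64500, 64501] (a route learned from elsewhere) does not."""
    return len(as_path) >= 1 and all(hop == asn for hop in as_path)


def accept_inbound(session, prefix, as_path, peer_as):
    """Inbound policy for one received route.

    session is 'customer', 'peer' or 'internet' (transit). Bogons are rejected on
    every session type here; the notes state this for Internet sessions, and
    applying it everywhere is the conservative choice assumed in this example.
    """
    if covered_by(prefix, BOGONS):
        return False
    if session in ("customer", "peer"):
        return originated_only_by(as_path, peer_as)
    if session == "internet":
        return True
    raise ValueError(f"unknown session type: {session}")


def accept_outbound_to_peer(prefix):
    """Outbound policy towards a peer: advertise only local space."""
    return covered_by(prefix, LOCAL_SPACE)


if __name__ == "__main__":
    # A customer route with its own AS prepended three times is accepted...
    print(accept_inbound("customer", "203.0.113.0/24", [64500, 64500, 64500], 64500))
    # ...a customer leaking a route it learned from another AS is not.
    print(accept_inbound("customer", "198.51.100.0/24", [64500, 64501], 64500))
    # Transit session: a bogon is dropped.
    print(accept_inbound("internet", "10.1.0.0/16", [64510, 64520], 64510))
    # Towards a peer: a block outside our local space is never advertised.
    print(accept_outbound_to_peer("192.0.2.0/24"))
```

On a real router the same four rules become a prefix-list for the bogons and local space plus an AS-path access-list such as one matching only the neighbour's ASN repeated; the evaluator above is just the decision logic in one place so the rules can be read and tested together.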

BCP38

Techniques for spoofing prevention

Describe with a simple snail mail analogy

Usually uRPF strict or loose, depending

Sometimes ACLs with specific IPs as sources are used too

Best suited for the true customer edge, not the transit/peering edge (performance)
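To make the strict/loose distinction and the ACL alternative concrete, here is an added example (not from the episode) that runs source-address checks against a constructed forwarding table. The FIB entries, interface names and the per-interface ACL are all assumptions for the example; it also shows the loose-mode caveat that a default route would otherwise make every source look routable.

```python
import ipaddress

# Constructed FIB for this example: (prefix, outgoing interface). 'uplink0' is the
# transit uplink, 'custN' are customer-facing ports, 'peer0' a settlement-free peer.
FIB = [
    ("0.0.0.0/0", "uplink0"),
    ("203.0.113.0/24", "cust1"),
    ("198.51.100.0/24", "cust2"),
    ("192.0.2.0/24", "peer0"),
]

# Constructed per-interface source ACLs, the 'ACLs with specific IPs as sources' case.
SOURCE_ACLS = {
    "cust1": [ipaddress.ip_network("203.0.113.0/24")],
}


def lookup(src):
    """Longest-prefix match of a source address against the FIB.
    Returns (network, interface) or None when nothing matches."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, ifname in FIB:
        net = ipaddress.ip_network(prefix)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, ifname)
    return best


def urpf_strict(src, ingress):
    """Strict mode: the best route back to the source must point out the ingress
    interface. Fits single-homed customer edges; breaks on asymmetric paths."""
    match = lookup(src)
    return match is not None and match[1] == ingress


def urpf_loose(src, allow_default=False):
    """Loose mode: any route to the source suffices, whatever the interface.
    A match on the default route does not count unless allow_default is set,
    otherwise every source would pass wherever a default route exists."""
    match = lookup(src)
    if match is None:
        return False
    if match[0].prefixlen == 0 and not allow_default:
        return False
    return True


def acl_permits(src, ingress):
    """Static source ACL: only the listed source blocks are accepted on that interface.
    Interfaces without an ACL are left unfiltered here (assumption for the example)."""
    if ingress not in SOURCE_ACLS:
        return True
    addr = ipaddress.ip_address(src)
    return any(addr.version == n.version and addr in n for n in SOURCE_ACLS[ingress])


if __name__ == "__main__":
    # A customer's own source on its own port passes strict; the same source
    # arriving on another customer's port (spoofed) fails.
    print(urpf_strict("203.0.113.10", "cust1"), urpf_strict("203.0.113.10", "cust2"))
    # A source only reachable via the default route fails loose mode unless
    # default routes are explicitly allowed.
    print(urpf_loose("198.18.0.1"), urpf_loose("198.18.0.1", allow_default=True))
```

Strict mode is the one that actually enforces BCP38 at a customer port; loose mode only tells you the source exists somewhere in the table, which is useful on peering edges for dropping unallocated space but does nothing against a spoofed address that is legitimately routed elsewhere.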

Origin Security

Try to prevent the hijacking of routes

Hijacking is often used by spammers, etc., to source junk

The main question: is this AS number really tied to this address block?

The RPKI

Signed x.500 certificates

Distributed through a synchronized database (rsync)

The certificates are rooted in the RIRs

Which means that if you don’t pay your bill, your certificate is withdrawn, and you lose the ability to route
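The question the RPKI answers on the router is route origin validation: given the ROAs that came out of the signed certificate chain, is this origin AS allowed to announce this prefix at this length? The following is an added example, not code from the episode or from any validator; the ROA set is constructed, and the policy in policy_action (reject invalid, accept valid and notfound) is an assumption about what an operator would configure.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ROA:
    """A Route Origin Authorization as it reaches the router: prefix, maxLength, ASN."""
    prefix: str
    max_length: int
    asn: int


# Constructed ROA set for this example. Real ROAs are fetched from the RIR-rooted
# repositories by a validator and pushed to routers. An AS 0 ROA is the standard
# way an address holder states that nobody may originate the block.
ROAS = [
    ROA("203.0.113.0/24", 24, 64500),
    ROA("198.51.100.0/22", 24, 64501),
    ROA("192.0.2.0/24", 24, 0),
]


def origin_as(as_path):
    """The origin is the rightmost ASN in AS_PATH (AS_SET handling omitted here)."""
    return as_path[-1]


def validate_origin(prefix, origin, roas=ROAS):
    """Route Origin Validation outcome: 'valid', 'invalid' or 'notfound'.

    valid     - a covering ROA names this origin and the prefix is no longer than maxLength
    invalid   - covering ROAs exist but none match (wrong origin, too specific, or AS 0)
    notfound  - no ROA covers the prefix at all
    """
    net = ipaddress.ip_network(prefix)
    covered = False
    for roa in roas:
        roa_net = ipaddress.ip_network(roa.prefix)
        if net.version != roa_net.version or not net.subnet_of(roa_net):
            continue
        covered = True
        if roa.asn == origin and roa.asn != 0 and net.prefixlen <= roa.max_length:
            return "valid"
    return "invalid" if covered else "notfound"


def policy_action(prefix, as_path, roas=ROAS):
    """Assumed router policy: reject invalids, accept everything else. Rejecting
    notfound is not realistic while most of the Internet still has no ROA."""
    state = validate_origin(prefix, origin_as(as_path), roas)
    return state, ("reject" if state == "invalid" else "accept")


if __name__ == "__main__":
    # The legitimate origin at the authorized length is valid...
    print(validate_origin("203.0.113.0/24", 64500))
    # ...a more specific than maxLength is invalid even from the right AS,
    # which is exactly the more-specific hijack the ROA is meant to stop.
    print(validate_origin("203.0.113.0/25", 64500))
    # A different AS announcing a covered block is invalid; an uncovered block is notfound.
    print(policy_action("203.0.113.0/24", [64510, 64999]))
    print(policy_action("198.18.0.0/15", [64510, 64500]))
```

One consequence of the "certificate withdrawn" point above: when a ROA disappears from the repository, routes it used to cover generally fall back to notfound rather than invalid (unless some other ROA still covers the prefix), so what the operator's notfound policy says decides whether the block keeps being accepted.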

MANRS

As your provider, I should know what addresses you plan to source services from

If you try to source something from a space you didn’t tell me about, and I can’t verify, I should block it

To some degree, this relies on uRPF

Not always realistic, so deployed on a case-by-case basis

Path Security

BGPsec

Onion signing of all BGP updates

This isn’t ever going to happen, according to Russ

Kills performance: no more update packing, plus per-hop public key crypto

Either you have a timer in the update, converting BGP to RIP, or you have permanent replay attacks; there’s no clear solution to this problem